Web Resource Authorization 2.x-3.0.x

Protecting URLs

If one attempted to differentiate between web resource authorization and domain object authorization, one could say that web resource authorization is the more coarse-grained of the two. It protects web resources, each of which is uniquely identified by a URL. URLs can point to static resources such as images, or to dynamic resources such as the pages of a web application; web resource authorization, as used in this document, deals with the latter. It is called coarse-grained because it does not enforce security on the methods, or even the object instances, involved in dynamically creating a web page. That is not to say finer-grained control is unavailable (domain object authorization provides it); web resource authorization is simply the first security gate through which a user must pass.

Protecting URLs with Acegi Security

The Pentaho BI Platform comes out of the box with a configuration very similar to the Contacts Sample Application that ships with the Acegi Security download. The platform uses a standard Acegi Security setup that is well documented in the Acegi Security reference documentation.

Warning: Because the objectDefinitionSource below begins with CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON, every request URL is lowercased before it is compared against the patterns. All characters between \A and \Z in a pattern must therefore be lowercase, or the pattern can never match.

Below, a FilterSecurityInterceptor is defined along with an AccessDecisionManager; the two beans are associated through the accessDecisionManager property. The objectDefinitionSource property maps URL patterns (regular expressions, anchored with \A and \Z, with .* before \Z so that a trailing path, extension or query string still matches) to the roles required to view pages matching each pattern. Patterns are tested in the order listed and the first match wins, so more specific patterns such as \A/admin.*\Z must appear before the catch-all \A/.*\Z. RoleVoter grants access if any one of the roles on the right-hand side of the equals sign is held by the user; with rolePrefix set to the empty string, the role names are used exactly as written. Because the AffirmativeBased manager has allowIfAllAbstainDecisions set to false, a request is denied unless a voter explicitly grants it.

applicationContext-acegi-security.xml
<bean id="filterInvocationInterceptor"
  class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref local="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <value>
      <![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
// some lines omitted
\A/login.*\Z=Anonymous,Authenticated
\A/j_acegi_security_check.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
// some lines omitted
\A/logout.*\Z=Anonymous
\A/.*\Z=Authenticated
      ]]>
    </value>
  </property>
</bean>

<bean id="httpRequestAccessDecisionManager"
  class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false" />
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter" />
    </list>
  </property>
</bean>

applicationContext-common-authorization.xml
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
  <property name="rolePrefix" value="" />
</bean>
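The following Python model is an added example, not Acegi or Pentaho code. It parses the objectDefinitionSource text exactly as shown above and reproduces the three behaviours the configuration relies on: URL lowercasing before comparison, first-match-wins rule ordering, and AffirmativeBased voting with a prefix-less RoleVoter. The two weakened variants (the directive removed, and the catch-all listed first) are constructed here to show what each mistake permits; the function and variable names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed copy of the objectDefinitionSource text shown on the page.
# The "// some lines omitted" markers are not rules and are left out.
PAGE_DEFINITION_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/login.*\Z=Anonymous,Authenticated
\A/j_acegi_security_check.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
\A/logout.*\Z=Anonymous
\A/.*\Z=Authenticated
"""

Rule = Tuple[re.Pattern, List[str]]


def parse_definition_source(text: str) -> Tuple[bool, List[Rule]]:
    """Parse the objectDefinitionSource syntax: an optional
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON directive followed by
    '<regex>=<role>[,<role>...]' lines. Rules keep file order because
    the first matching rule is the one that applies."""
    lowercase = False
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
            continue
        pattern, _, roles = line.partition("=")
        rules.append((re.compile(pattern),
                      [r.strip() for r in roles.split(",") if r.strip()]))
    return lowercase, rules


def lookup_attributes(lowercase: bool, rules: List[Rule], url: str) -> Optional[List[str]]:
    """Return the roles of the first rule whose regex matches the URL,
    or None when no rule matches."""
    if lowercase:
        url = url.lower()
    for pattern, roles in rules:
        if pattern.search(url):  # the patterns carry their own \A ... \Z anchors
            return roles
    return None


def role_voter(user_roles: set, attributes: List[str]) -> str:
    """Model of RoleVoter with rolePrefix "": every attribute is a role name,
    so the voter never abstains; GRANTED if the user holds any listed role."""
    return "GRANTED" if any(a in user_roles for a in attributes) else "DENIED"


def affirmative_based(votes: List[str], allow_if_all_abstain: bool = False) -> bool:
    """AffirmativeBased: a single GRANTED wins; DENIED without a GRANTED loses;
    if every voter abstains, fall back to allowIfAllAbstainDecisions."""
    if "GRANTED" in votes:
        return True
    if "DENIED" in votes:
        return False
    return allow_if_all_abstain


def authorize(definition_source: str, url: str, user_roles: set) -> bool:
    """Decide a request the way the filterInvocationInterceptor above would."""
    lowercase, rules = parse_definition_source(definition_source)
    attributes = lookup_attributes(lowercase, rules, url)
    if attributes is None:
        # No rule matched: the interceptor treats the call as public unless
        # rejectPublicInvocations is set. The page's catch-all rule prevents this.
        return True
    return affirmative_based([role_voter(user_roles, attributes)])


# Constructed weakened variants for comparison.
NO_LOWERCASE_DIRECTIVE = PAGE_DEFINITION_SOURCE.replace(
    "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\n", "")
CATCH_ALL_FIRST = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/.*\Z=Authenticated
\A/admin.*\Z=Admin
"""


if __name__ == "__main__":
    user = {"Authenticated"}
    print(authorize(PAGE_DEFINITION_SOURCE, "/admin/users", user))       # False
    print(authorize(PAGE_DEFINITION_SOURCE, "/Admin/users", user))       # False: lowercased first
    print(authorize(NO_LOWERCASE_DIRECTIVE, "/Admin/users", user))       # True: case variant slips past
    print(authorize(CATCH_ALL_FIRST, "/admin/users", user))              # True: admin rule never reached
    print(authorize(PAGE_DEFINITION_SOURCE, "/admin/users", {"Admin"}))  # True
```

The two failing variants are the checks worth running against any edited configuration: a request for /Admin/users by an ordinary authenticated user must still be denied, and moving or adding a broad pattern above \A/admin.*\Z must not silently make the admin rule unreachable. Whether a container would actually serve the same resource for /Admin/users as for /admin/users depends on the container and filesystem; lowercasing before comparison removes the question.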